Nerdbank.MessagePack Stack Overflow Vulnerability (CVE-2026-44375) Patched
The National Vulnerability Database has detailed CVE-2026-44375, a high-severity uncontrolled stack allocation vulnerability impacting Nerdbank.MessagePack versions prior to 1.1.62. This library is a NativeAOT-compatible MessagePack serialization solution.
According to the National Vulnerability Database, the flaw resides in the DateTime decoding process. A malicious MessagePack payload can declare an oversized timestamp extension length. This forces the reader to allocate an attacker-controlled number of bytes on the stack, ultimately triggering an uncatchable StackOverflowException that terminates the process. The vulnerability carries a CVSS score of 7.5 (HIGH).
This is a critical denial-of-service vector. Defenders must understand that process termination, especially in critical services, can be as damaging as data exfiltration or integrity compromise. The fix is available in Nerdbank.MessagePack version 1.1.62, and immediate upgrades are essential to mitigate this risk.
What This Means For You
- If your applications utilize Nerdbank.MessagePack, check your dependency versions immediately. Any version prior to 1.1.62 is vulnerable to a denial-of-service attack via a crafted MessagePack payload. Patch to 1.1.62 without delay to prevent process termination.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-44375: Nerdbank.MessagePack Stack Overflow via Oversized Timestamp Extension
title: CVE-2026-44375: Nerdbank.MessagePack Stack Overflow via Oversized Timestamp Extension
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-44375 by sending a crafted MessagePack payload with an oversized timestamp extension length. This specific pattern in the query string indicates an attempt to trigger a StackOverflowException in the Nerdbank.MessagePack library before version 1.1.62.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-44375/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- 'timestamp_extension_length='
cs-uri-query|contains:
- 'oversized_value'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44375 | DoS | Nerdbank.MessagePack library versions prior to 1.1.62 |
| CVE-2026-44375 | DoS | Uncontrolled stack allocation vulnerability in DateTime decoding |
| CVE-2026-44375 | DoS | Malicious MessagePack payload with oversized timestamp extension length |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 18:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-42589: Gotenberg RCE via ExifTool Argument Injection
CVE-2026-42589 — Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes...
CVE-2026-42283: DevSpace UI WebSocket Exposes Developer Endpoints
CVE-2026-42283 — DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins...
CVE-2026-40893: Gotenberg Allows Arbitrary File Manipulation
CVE-2026-40893 — Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName...